I've been trying a few things to the extent that I've forgotten how to do basic things (= or ==?, " or \"?)... the overall aim is to have a dashboard panel show only if any input textbox has a value. (If they're all blank, I want to hide it). <input type="text" token="pIP" searchWhenChanged="true"> <label>Enter IP Address</label> <change> <condition match="$pIP$==&quot;&quot; AND $pHost$==&quot;&quot;"> <unset token="X"></unset> But I can't get the token to unset, and I guess it's the speech marks that I'm getting wrong, so I've been trying different ways to get the condition match to work, but haven't got it right yet. <condition match="$pIP$='' AND $pHost$=''"> <!--single-quote marks--> or <condition match="$pIP$=='' AND $pHost$==''"> ... View more

I have a dashboard with some user inputs at the top (IP, hostname, asset ID, etc), and two search panels work correctly when any of the fields are populated. So far, so simple. But when NONE of the inputs are filled out, I don't want the searches to run. I need something like: <panel depends="$input1$ OR $input2$ OR $input3$ or $input4$'"> Once thing I've tried is to concatenate all inputs into one large messy string. On all 4 inputs, I've tried this: <input type="text" token="field1" searchWhenChanged="true"> <change> <eval token="somethingToShow">$input1$+$input2$+$input3$+$input4$</eval> ... <!-- and then, later:--> <panel depends="$somethingToShow$"> However, even when all the inputs are blank, the panel still shows. This is because although $somethingToShow$ is an empty string, it isn't unset. I also tried using a "$countOfInputs" variable which on is set to 0, and whenever input is entered, increments, and whenever input is set to ="", then to decrements. But the problem was that I still couldn't unset it when it was 0. I tried using a hidden input field which I could increment or decrement, and then use to on that value=0. But I couldn't get an input field to be hidden from the user. Questions: How do you apply <depends> to more than one token? How do you unset a token only if multiple other tokens are blank? Is there an overall event, that is invoked when ANY token changes, so that I can unset a token there if all the fields are blank? I can't find any examples of this kind of thing so I guess not. I've been working on this simple concept most of yesterday and today, and have gone through a large number of docs/Splunk answer articles... this is one of those things that is probably too simple to have been spelled out anywhere! ... View more

I have a search that returns the IPs that have recently been blocked the most, and I want to add the "Last Logged On User" to each row of results. Here's the first part: index=firewall earliest=-5m msg="Deny TCP (no connection) from *" | stats count as Q by src_ip| sort -Q | head 3 Results: IP. . . . . . . BLOCKS 10.1.2.3 . . . . 20 10.2.3.4 . . . . 16 10.9.8.7 . . . . 15 I have a search that will return the last logged-on user, but I have to run this manually each time. I need to make a version of this using appendCols where I can insert "IP_from_parent_search" instead of the IP (i.e. 1.2.3.4): search index=windows sourcetype="wineventlog:cef" 1.2.3.4 eventID=ZZZZ | rex "duser=(?<duser>[^ ]*)" | rex "dhost=(?<dhost>[^ ]*)" | search dhost=1.2.3.4 | head 1 The IP (1.2.3.4) appears twice because at first I scan the raw to see if the IP is there. If so, I then look at the particular field (dhost) to see that the IP is there, AND, in the correct part of the event. But I have to manually do this search, and put in the IP. The question is... how do I combine these? The results should look like: IP BLOCKS LASTUSER LastUser_LoginDate 10.1.2.3 20 smithp 20190405T08:00 10.2.3.4 16 joness 20190405T07:52 10.9.8.7 15 admin3 20190405T07:22 My main trouble is how to make the appendCols subsearch refer to the row details for the parent search to get the IP. ... View more

I've got an average session duration (gotten via | Transaction) broken down by EndStatus. EndStatus is the cause of the end of the session (i.e. a a Reset from the client (RST-O), a FIN, etc). This is charted into a barchart. And, as an overlay, I have the count of how many sessions terminated in that way (blue line, fieldname "Q"). So, you can see (for example), if sessions that end in a client-reset are on average much shorter than sessions ended due server sending a RST, and, how many of each ("Q") are occurring. I was going to attach the chart as it'd be easier to understand, but I don't have enough karma to add attachments O_o. What I want is to remove the need for the 2nd axis (showing count), by stating the count of events /in the column titles. In other words, to rename “FIN-O” Status to “FIN-O (8)” and RST-O to “RST-O (95)”. Here's the SPL: index=firewall <SNIP SEARCH DETAILS> | transaction src maxevents=2 startswith=built endswith=teardown | eval EndStatus=case(msg LIKE "%Tunnel has been torn down%","Torn Down",msg LIKE "%SYN Timeout%","SYN Timeout",msg LIKE "%TCP Reset-O from OUTSIDE%", "RST-O",msg LIKE "%TCP Reset%","RST",msg LIKE "%TCP FINs from OUTSIDE%","FIN-O",msg LIKE "%TCP FIN%","FIN",msg LIKE "%Connection timeout%","Connection Timeout",true(),"Other") | eval session_length_in_minutes=duration/60 | chart count AS Q, avg(session_length_in_minutes) by EndStatus I’ve been trying to use "AS" to rename the field using various brackets and tricks, but I don't think it evaluates any dynamic values. | chart count AS Q,avg(session_length_in_minutes) AS [EndStatus+Q] by EndStatus or | avg(session_length_in_minutes) AS "EndStatus"+count by EndStatus There are some similar (ish) questions on here already with answers (I've gone through the suggested answers), but they've not hit the situation where they want an aggregate data in the (new) column names. I've also been trying starting off with STATS, renaming, and piping into RENAME and then CHART. ... View more

I think I might be doing something conceptually wrong with this, but I've tried several combinations throughout the day today, and not managed to get it right. I'm configuring a Service KPI. The intent is to count total active&standby core routers on a network, using the presence of some occasional tunnel traffic. Here's the search I'm using for the KPI, with a "distinct count" calculation (with some real data masked into XXXX,YYYY,ZZZZ): index=XXXX host=YYYY sourcetype=ZZZZ | fields host | bucket _time span=20m The correct answer is "33". Adding things like stats distinct_count(host) and timechart span=20m (etc), I can see 33 active hosts within the 20m window when using normal searches, consistently, for the past year. But when I use the quoted search (and other variants) as a KPI, it always shows "0". I feel like my fundamental approach is wrong, but I can't hit the nail on the head, and could do with some pointers/ideas! ... View more